Secure quantum cryptographic network based on quantum key distribution 
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We present a protocol for quantum cryptographic network consisting of a quantum network center 
and many users, in which any pair of parties with members chosen from the whole users on request 
can secure a quantum key distribution by help of the center. The protocol is based on the quantum 
authentication scheme given by Barnum et al. [Proc. 43rd IEEE Symp. FOCS'02, p. 449 (2002)]. 
We show that exploiting the quantum authentication scheme the center can safely make two parties 
share nearly perfect entangled states used in the quantum key distribution. This implies that the 
quantum cryptographic network protocol is secure against all kinds of eavesdropping. 

PACS numbers: 03.67.Dd, 03.67.Hk, 03.65.Ud 



I. INTRODUCTION 

Quantum key distribution (QKD) has been consid- 
ered as a method for the perfectly secure communication 
which can compensate for the incompleteness of the clas- 
sical cryptography. Since the advent of the first QKD 
protocol presented by Bennett and Brassard 0, various 
kinds of quantum cryptographicprotocols based on QKD 
schemes between two users jj, y, |^ have been proposed, 
and the rigorous proofs of the security of the protocols 
have considerably been studied 

This implies that quantum cryptography has almost at- 
tained to the practical stage. 

The QKD protocol between two users can be general- 
ized into the communications between two parties, A and 
B, consisting of several members respectively Il3l Il4j . 
which use the quantum secret sharing protocol |l5| . 

For the communication among a lot of users, the the- 
ories on the quantum cryptographic network, in which 
several protocols are feasible on request, have been sug- 
gested [l^ IITI IT^ . The quantum cryptographic network 
usually requires a quantum network center, which con- 
nects any pair of parties by entangled states so that the 
two parties can perform a quantum key distribution by 
help of the center. 

Furthermore, employing the quantum network center, 
one can reduce the number of quantum channels used 
in quantum cryptographic network. In other words, in 
order for any pair of n users to communicate with each 
other, n(n — l)/2 quantum channels between any pairs of 
users are required in the quantum cryptographic network 
without a quantum network center, while only n quan- 
tum channels between the center and users are required 
in the quantum cryptographic network with a quantum 
network center. Therefore, the center's role can provide 



us with the efficient quantum cryptographic network as 
well as the secure network. 

In this paper, we present a protocol for the quan- 
tum cryptographic network, which is based on the quan- 
tum message authentication scheme presented by Bar- 
num et al. (191] . In order to show that the quantum 
cryptographic network protocol is secure, we first gen- 
eralize the quantum authentication scheme between two 
persons into the scheme between any pair of parties, and 
then prove that exploiting the quantum authentication 
scheme the center can safely make any pair of parties 
share nearly perfect entangled states used in the QKD so 
that the protocol is secure against all kinds of eavesdrop- 
ping. 

This paper is organized as follows. In Sec. |n] we 
briefly introduce the multipartite entangled states used 
in the QKD between two parties and their properties. In 
Sec, mil we present two protocols for the quantum crypto- 
graphic network. In Sec. ^3 we show that our protocols 
is secure against any eavesdropping. Finally, in Sec. 
we summarize our results. 



II. MULTIPARTITE ENTANGLED STATES 
AND THEIR PROPERTIES 



For a positive integer j, we define \^f) and I'^f) by 



l*.^> = ;^(|o^-)±|i^)), 



(1) 
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where |0) and |1) are the spin- up and the spin-down in 
the 2;-direction respectively, and t = ^—1. Then we can 
readily obtain the following decomposition relations ■ 
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TABLE I: The relations between the measurement outcomes 
of two parties A and B. 
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TABLE II: The relations between the measurement outcomes 
of three parties A, B, and C. 

For positive integers n and m satisfying n > m, 

= J_ d^r+M^-T \_^|^-\|^± \) 

= J_ d^r+Nl^i \ + \) (2) 

^^/2 V I m / I n— m/ ' \ m / \ n — m / } \ J 

We consider the case that each member of two parties 
A and B, consisting of m and n — m users respectively, 
possesses one particle of an n-particle state |$^), and 
that each member measures one's own particle in the x- 
or y-direction. For a party P (with / members), let yp be 
the number (modulo 4) of members of P who measure in 
the y-direction, yp — [3^p/2j, and A4p the sum (mod- 
ulo 2) of the measurement outcomes of all members in 
P. Then we straightforwardly obtain the following prop- 
erties from Eq. Q : If 3^p is even, then Mp(B yp is zero 
(or one) when they share \ ^^) (or j^'f )), where ® is the 
addition modulo 2. If yp is odd, then Mp (B ^p is zero 
(or one) when P has the state |^'/') (or |^';~)). 

Hence, we get the relations between outcomes of two 
parties and three parties as in the Table and m re- 
spectively. It follows from these relations that not only 
the QKD between any kinds of two parties, but also the 



QKD between two parties with a center's assistance are 
feasible if the y s hare the multi-particle entangled states 
such as |$+) 

III. PROTOCOLS FOR QUANTUM 
CRYPTOGRAPHIC NETWORK 

In this section, we construct two slightly different pro- 
tocols for quantum cryptographic network according as 
the center has a memory to store quantum information 
or does not have such a memory. If the center has the 
memory, then it can enhance the efficiency for the use 
of entangled states by reducing the number of discarded 
entangled states. 

Before presenting our protocol, we briefly review the 
results of the quantum message authentication presented 
by Barnum et al. To'l : The quantum authentication uses 
stabilizer codes based on a normal rational curve in the 
projective geometry. Barnum et al. proved that the set of 
the codes forms a stabilizer purity testing code with error 
e = 2r/(2* -I- 1), where each code encodes t = {r — \)s 
qubits into u — rs qubits, and also showed that a secure 
quantum authentication scheme can be obtained from the 
purity testing code. 



A. Protocol 1: QKD network without memory 

We now present the QKD protocol between two users 
or two parties which can securely be performed by help 
of the center's authentication for their states. Through- 
out the paper, we assume that C is considered as one 
quantum network center which is always trustful, and 
that A and B are two arbitrary parties which want to be 
connected by nearly perfect entangled states in order to 
communicate each other. The protocol is as follows: 

(1) Preprocessing: For each member ^ in ^ and -B, 
C and fjL agree on some stabilizer purity testing 
code and some private and random binary 
strings k(^), x(/x), and y{^J)■ 

(2) C prepares nt qubits in the state 1$+)*^*. We de- 
note one qubit of |$+) which will be transmitted 
to the member /i by /o(/i). 

(3) Performing some specific unitary operations corre- 
sponding to x(^), C encrypts p{n)^* = p(^) as 
r(^). 

(4) For the code Dk{fi) with syndrome y(/i), C encodes 
t{p) according to i?k(/j) to produce cr(/i). C sends 
tT(^) to the member ^. Let cr'(/i) be the state which 
^ receives. 

(5) Each member measures the syndrome y'(/i) of 
the code £'k;(/i) on a' (p) . Each member /i compares 
y{fi) to y'{fi) and aborts if any error is detected. 
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(6) According to -Dkf^), each member /i decodes cr'(/i) 
to obtain t'{^), and decrypts T'(/i) using x(/i), and 
then obtains a i-qubit state, /5'(/i). 

(7) /i randomly performs a measurement on each qubit 
of one's own state in the x- or y-dircction. 

After each member individuaUy carries out the 
above steps, each member in two parties takes t 
bits as measurement resuhs. Thus, in order to ob- 
tain sufficiently many bit strings, C and the two 
parties repeat the above steps as many times as 
necessary. 

(8) For all shared qubits, each member in two parties 
publicly announces the used directions, but not the 
obtained results. Then the two parties, A and B, 
obtain yA and ys- If yA © is odd then they 
discard the keys. Otherwise, A and B continue the 
next step. 

(9) A collector in A (B), gathers the outcomes to ob- 
tain Ma (Mb)- 

(10) Two parties A and B have a public discussion on a 
random subset of the obtained bits, which is used 
as the test bits, in order to detect an error which 
may occur in the previous procedure. 

If the parties find an error in this step, all shared 
keys are discarded, and they go back to Step (1). 
Otherwise, they obtain a final key string. 

We remark that the steps (9) and (10) are unnecessary 
when both of two parties A and B consist of only one 
member. 

We now review a method to obtain Ma (or Mb) pre- 
sented in IQ: We first assume that all members are or- 
dered and that the first member is the collector. This 
order need to be arbitrary. The collector chooses a ran- 
dom bit, which we will express as 'R\ adds it to his 
outcome modulo 2, and transfers the result to the second 
member. The second member transfers the next member 
the outcome plus the received one modulo 2. All mem- 
bers continue this procedure until the collector receives 
Ma®R {or Mb®R)- Then the collector obtains Ma (or 
Mb), which is Ma®R®R {or Mb® R®R)- However, 
anyone cannot know Ma (or M b) without acquiring the 
results of all members. 



B. Protocol 2: QKD network with memory 

In here, we introduce the protocol in which the center 
does not only authenticate quantum states but also joins 
in the procedure of the QKD scheme so that the entan- 
gled states employed in QKD can efficiently be used. The 
protocol can be obtained from modifying several steps in 
Protocol 1 as follows: 



(2') C prepares {n + l)t qubits in the state j^'^+i) ■ C 
stores t-qubit state p{C)®'^ = p{C) in his memory 
where p{C) is one qubit of 1$^^^). 

(7') Each member in the two parties, except the center 
C, randomly performs a measurement on each one 
qubit in the x- or y-direction. 

(8') (a) Each member in the two parties, except the 
center C, publicly announces the used direc- 
tions, but not the obtained results. Then A, 
B, and C obtain yA and 3^^. 

(b) According to the values of yA and J^b, C per- 
forms a measurement on his particle which is 
in the state p{C) so that J^a ® Ma and ® 
M B have a correlation or an anti-correlation. 

(9') Two parties, A and B, collect the outcomes to ob- 
tain Ma and Mb respectively, as in the previous 
protocols. Then the center C reveals the obtained 
results. 

We remark that the entangled states are used in Proto- 
col 2 more efficiently than in Protocol 1 since there are 
cases that the keys are discarded in Step (8) of Protocol 1 
while there is not such a case in Step (8') of Protocol 2. 



IV. PROOF OF SECURITY OF QUANTUM 
CRYPTOGRAPHIC NETWORK 

In this section, we are going to prove the security of 
the protocols presented in this paper. We first note that 
if, in Step (2') of Protocol 2, C measures each qubit of 
p{C) in the x- or y-direction instead of storing it then the 
protocol is essentially equivalent to Protocol 1, and that 
the order of the measurement does not affect the security 
of the protocol. Thus, it suffices to prove the security of 
Protocol 2. 

The secure quantum authentication scheme in '19"] en- 
sures that for any t-qubit state p, when p is transmitted 
to a member /i as p' , the fidelity F of p and p' is not 
less than 1 — £o for sufficiently small eo > 0, where the 
fidelity F of X and Y is defined by 

F{X, Y) = tr ( v/xi/2yxi/2^ ^ . (3) 

Here, p' can be considered as A^(/5) for some quantum 
channel A^. Thus, if the transmitted state is not dis- 
carded, then for any t-qubit p we can obtain the inequal- 
ity 

F{p,p')^F{p,A^(p))>l-eo. (4) 

For the detailed proof, we present a remark on a prop- 
erty of the fidelit y an d the quantum channel presented in 
Lemma 3 of Ref. |20j : Let £ be a quantum operation on a 
d-dimensional quantum system Ha, and \^!) e Ti.A Ti.R 
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a purification of a state pA on T-La, where T-Lr is a refer- 
ence system such that trj^(|^')(4'|) = pA- Suppose that 
there is e > such that 



(V|f(|V)(V'l)IV')>l-e 
for all IV') in the support of pA- Then 

(M'|[(£®Zh)(|*>(*|)]|*> 

> 1 - ( 1 + do • max{pjpfc} ) e, 



(5) 



(6) 



where do is the Schmidt number of Y^) and ,Jp] are the 
Schmidt coefficients of Y^) with respect to the bipartite 
quantum system T-La Hr. 

Since for any member p there exists a sufficiently small 
El > such that 

Fm{4,lAMm>l-ei (7) 
for all i-qubit state \^) by the inequality and 

applying the above remark to our situation, we obtain 
the following property: 

i^($,(A^®Ic)(<I>))>l- + (9) 

where $=(|$++i)(<f++i|)®*- 

As we discuss the details in Appendix, A^ is also 

a nearly perfect quantum channel and hence there is a 

sufficiently small £2 > such that 



^ ie)(ei,(g)A^(ie)(^i) >i-£2 



(10) 



for any nt-qubit pure state |^). Thus, since it follows 
from Eq. (jSJ that 



2*-l 



(11) 



3=0 



when the center transmit nt qubits of the states to all 
members, we can obtain the almost same inequality: 



F $, 



I A,, 



1 



>Ic]m]>l-[l + ,^]e2. (12) 



From this result, we can directly notice that Protocol 2 is 
secure if there are no dishonest members in the parties. 

For the analysis of the case that dishonest members 
exist in the parties, we use the investigation presented 
in By a classical probability estimate about the 

random sampling tests |3| , if there are some errors in the 
procedure then two parties can detect an error with high 
probability from sufhciently many test bits. We remark 
that each member can have an effect on the protocol just 
at the moment of announcing the basis or giving the in- 
formation on the outcomes, and that the test bits are 
chosen after the directions are announced and the infor- 
mation on the outcomes is transferred to other members. 
Therefore, since the test bits are randomly chosen, the 
dishonest members cannot escape the detection, that is, 
they cannot prevent the others from obtaining the correct 
keys without being detected. 



V. SUMMARY 

In this paper, we have presented a protocol for quan- 
tum cryptographic network consisting of a quantum net- 
work center and many users, in which any pair of parties 
with some members can secure a quantum key distribu- 
tion by help of the center. We have shown that exploiting 
the quantum authentication scheme the center can safely 
make two parties share nearly perfect entangled states 
used in the QKD on request. We have also shown that 
the quantum cryptographic network protocol is secure 
against all kinds of eavesdropping. 
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APPENDIX 

In this appendix, we show that A^ is also a nearly 
perfect quantum channel and that there is a sufficiently 
small £2 > such that 



Therefore, after executing Step (6), the parties with the 
center share the nearly perfect entangled states. 

We now need a result of Lo and Chau that if the cen- 
ter C and every members share a state having a fidelity 
exponentially close to 1 with |<I>+)®* then Eve's mutual 
information with the key is at most exponentially small. 



IO(ei,(g)A^(|0(ei) >l-e2 



(A.l) 



for any nt-qubit pure state |^). 

First we note that the last term of the inequality © is 
greater than or equal to 1 — + d/A) e since doPjPk < d/A 
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for all j k. Thus, in the property of the fidelity and 
the quantum channel presented in Lemma 3 of Ref . |2Clj| , 
if there is e > such that 



(V|f(|^)(^|)|V)>l-£ 
for all IV') G Ha, then 



(A.2) 



($1 [(s^ir) mim 1$) > 1 - (^1 + -j (A.3) 

for all |<i>) £ Ha ® Hr. Since the square root of the 
fidelity F is doubly concave , that is, for Xj — 1 



it follows from the inequality l|A.3(l that if the inequal- 
ity l|A.2(l holds then for all density matrices par on 
Ha<»Hr 



F (par, {£ (i> Ir) {par)) >l-[l + ^je. (A.5) 
Hence, we obtain from the inequalities and ljA.5|l that 



F ($, (A^ ® Ic) ($)) > 1 - (1 + 2*-2) (A.6) 
and that 

F ((J^ (g, A^, (g, Ic) ($) , (A^ ® A^, ® Ic) ($)) 
= F{p, {K^®I^,c){p)) 

> 1- (l + 2*-2)£^ (A.7) 

for p ^ p', where p = (A^- ® I^c) (^')- 

We now present a simple remark on a relation between 
the fidelity and a distance of density matrices, D, which 



is defined hy D{g, g') = trjg — p'|/2 |22|: For any density 
matrices g and g' , the following inequalities hold. 



1 - ^F{g, g') < D{g, g') <^l- F{g, g'). (A., 



Then it follows from the inequality (jA.Sp and the triangle 
inequality of D that for density matrices g, g' , and g" 



1 - VFi9, g") <D{g, g") < D{g, g') + D{g' , g") 



<Vi-F{g,g') + ^l-F{g',g"). 

(A.9) 

By virtue of the inequalities (|A.6|I . (|A.7|I . and (|A.9p . 

we obtain the foUowings: for any nt-qubit pure state |^), 



F 10(^1, (g)A^(|0(ei) > l-nv/(l + 2*-2)ei- 



(A.IO) 

Since ei is independent on n and the proof is com- 
pleted. Furthermore, it is clear that the result similar to 
the inequality (|12|l can directly be obtained in the same 
way. 

Considering the Burcs metric ds [2^ |3 defined by 



;(ap')-\/2-2F(p,p')i/^ 



(A.ll) 



since ds satisfies the triangle inequality we can actually 
obtain an inequality tighter than the inequality (jA.9|) : 
For density matrices g, g', and g" , 



l-Fig,g'r/^<Jl-F{g,g')y 



+ ^l-F{g',g")y\ (A.12) 



Therefore, from the inequality (jA.12p . we could also ob- 
tain an inequality tighter than the inequality IjA.lOp . 
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